Samsung Mobile Devices Race Condition Vulnerability - 20230703003

Overview

A use after free vulnerability via race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows arbitrary write given a radio privilege is compromised.

What is the vulnerability?

CVE-2021-25394 - CVSS v3 Base Score: 6.4

What is vulnerable?

The vulnerability exists in the following products:

• Selected Exynos and Qualcomm devices O(8.1), P(9.0), Q(10.0), R(11.0)

What has been observed?

CISA added this vulnerabilty in their Known Exploited Vulnerabilties catalog on 29 June 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of two weeks as per E8 (refer Patch Management):

• https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10
• https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide